Abstract. String commitment schemes are similar to the well studied bit commitment schemes in cryptography, with the difference that the committing party, say Alice, is supposed to commit a long string instead of a single bit to another party, say Bob. Similar to bit commitment schemes, such schemes are supposed to be binding, i.e. Alice cannot change her choice after committing, and concealing, i.e. Bob cannot find Alice's committed string before Alice reveals it. Ideal commitment schemes are known to be impossible. Even if some degree of cheating is allowed, Buhrman, Christandl, Hayden, Lo and Wehner [BCH+07] have recently shown that there are some binding-concealing trade-offs that any quantum string commitment scheme (QSC) must follow. They showed trade-offs both in the scenario of single execution of the protocol and in the asymptotic regime of sufficiently large number of parallel executions of the protocol.

We present here new trade-offs in the scenario of single execution of a QSC protocol. Our trade-offs also immediately imply the trade-off shown by Buhrman et al. in the asymptotic regime. We show our results by making a central use of an important information theoretic tool called the substate theorem due to Jain, Radhakrishnan and Sen [JRS02]. Our techniques are quite different from that of [BCH+07] and may be of independent interest.

Key words: string commitment, quantum channels, observational divergence, relative entropy, substate 
theorem. 

1 Introduction 

Commitment schemes are powerful cryptographic primitives. In a bit commitment scheme Alice, the committer, is supposed to commit a bit $b \in \{0,1\}$ to Bob in such a way that after the commit phase she cannot change her choice of the committed bit. This is referred to as the binding property. Also at this stage Bob should not be able to figure out what the committed bit is. This is referred to as the concealing property. Later in the reveal phase Alice is supposed to reveal the bit $b$ and convince Bob that this was indeed the bit which she committed earlier. Bit commitment schemes have been very well studied in both the classical and quantum models since the existence of such schemes implies several interesting results in cryptography. It has been shown that bit commitment schemes imply existence of quantum oblivious transfer [Yao95], which in turn provides a way to do any two-party secure computation [Kil88]. They are also useful in constructing zero knowledge proofs [Gol01] and imply another very useful cryptographic primitive called secure coin tossing [Blu83]. But unfortunately strong negative results are known about them in case Alice and Bob are assumed to possess arbitrary computation power and information theoretic security is required. In this paper we are concerned with this setting of information theoretic security with unbounded computational resources with cheating parties. Classically bit commitment schemes are known to be impossible. In the quantum setting several schemes were proposed but later several impossibility results were shown [May97, LC97, LC98, DKSW07]. Negative results were also shown for approximate implementations of bit commitment schemes [SR02, DKSW07] in which trade-offs were shown for cheating probabilities of Alice and Bob, referred to as binding-concealing trade-offs. Interestingly however Kent [Ken04] has exhibited that bit-commitment can be achieved using relativistic constraints. However we point out that in this work we do not take considerations of relativity into account and our setting is non-relativistic.

Now suppose instead of wanting to commit a bit $b \in \{0,1\}$, Alice wants to commit an entire string $x \in \{0,1\}^n$. One way to do this might be to commit all the bits of $x$ separately. Binding-concealing trade-offs of such schemes will be limited by the binding-concealing trade-offs allowable for bit commitment schemes. But might there exist cleverer schemes which allow for better binding and concealing properties? This question was originally raised by Kent [Ken03]. Let us first begin by formally defining a quantum string commitment protocol. Our definition is similar to the one considered by Buhrman et al. [BCH+07].

Definition 1 (Quantum string commitment). Let $P = \{p_x : x \in \{0,1\}^n\}$ be a probability distribution and let $B$ be a measure of information (we define several measures of information later). A $(n,a,b)$-$B$-QSC protocol for $P$ is a quantum communication protocol [Yao95, LC98] between Alice and Bob. Alice gets an input $x \in \{0,1\}^n$ (chosen according to the distribution $P$), which is supposed to be the string to be committed. The starting joint state of the qubits of Alice and Bob is some pure state. There are no intermediate measurements during the protocol and Bob has a final checking POVM measurement $\{M_y \mid y \in \{0,1\}^n\} \cup \{I - \sum_y M_y\}$ (please see Sec. 2 for definition of POVM) to determine the value of the committed string by Alice or to detect her cheating. The protocol runs in two phases called the commit phase followed by the reveal phase. The following properties need to be satisfied.

1. (Correctness) Let Alice and Bob act honestly. Let $\rho_x$ be the state of Bob's qubits at the end of the reveal phase of the protocol when Alice gets input $x$. Then $\forall x,y$, $\mathrm{Tr}\,M_y\rho_x = 1$ iff $x = y$ and otherwise.

2. (Concealing) Let Alice act honestly and Bob be possibly cheating. Let $\sigma_x$ be the state of Bob's qubits after the commit phase when Alice gets input $x$. Then the $B$ information of the ensemble $\mathcal{E} = \{p_x, \sigma_x\}$ is at most $b$. In particular this is also true for both Alice and Bob acting honestly.

3. (Binding) Let Bob act honestly and Alice be possibly cheating. Let $c \in \{0,1\}^n$ be a string in a special cheating register $C$ with Alice that she keeps independent of the rest of the registers till the end of the commit phase. Let $\rho'_c$ be the state of Bob's qubits at the end of the reveal phase when Alice has $c$ in the cheating register. Let $\tilde{p}_c \stackrel{\mathrm{def}}{=} \mathrm{Tr}\,M_c\rho'_c$. Then for all input strings $x$,

$$\sum_{c \in \{0,1\}^n} p_c\,\tilde{p}_c < 2^{a-n}.$$

The idea behind the above definition is as follows. At the end of the reveal phase of an honest run of the protocol Bob figures out $x$ from $\rho_x$ by performing the POVM measurement $\{M_x\} \cup \{I - \sum_x M_x\}$. He accepts the committed string to be $x$ iff $M_x$ succeeds and this happens with probability $\mathrm{Tr}\,M_x\rho_x$. He declares Alice cheating if $I - \sum_x M_x$ succeeds. Thus due to the first condition, at the end of an honest run of the protocol, Bob accepts the committed string to be exactly the input string of Alice with probability 1. The second condition above takes care of the concealing property stating that the amount of $B$ information about $x$ that a possibly cheating Bob gets is bounded by $b$. In bit-commitment protocols, the concealing property was quantified in terms of the probability with which Bob can guess Alice's bit. Buhrman et al. [BCH+07] in fact do consider Bob's probability of guessing Alice's input string as quantifying the concealing property. However in the proof of their trade-off result, they consider a related notion of information as a quantification of the concealing property. In this paper, we use various notions of information to quantify the concealing property of the protocol. The third condition guarantees the binding property. It makes sure that if a cheating Alice wants to postpone committing or wants to change her choice at the end of the commit phase, then she cannot succeed in making an honest Bob accept her new choice with good probability, for a lot of different strings of her choice.

A few points regarding the above definition are important to note. We assume that the combined state of Alice and Bob at the beginning of the protocol is a pure state. Given this assumption, it can be assumed without loss of generality (due to the arguments of [Yao95, LC98]) that it remains a pure state till the end of the protocol (in an honest run). This is because Alice and Bob need not apply any intermediate measurements, before Bob applies the final checking POVM at the end of the protocol. Our impossibility result makes a critical use of this fact and fails to hold if the starting combined state is not a pure state. However, there are no restrictions on the starting pure state shared between Alice and Bob; it could even be an entangled state between them. The impossibility result in [BCH+07] has also been shown under this assumption. This assumption has also been made in showing impossibility results for bit-commitment schemes [May97, LC97, LC98]. The main reason why these arguments do not work, both for bit commitment and string commitment schemes, if the combined state is not a pure state is that the Local Transition Theorem (Thm. 8 mentioned later) fails to hold for mixed states. It is conceivable, and it will be interesting to see, whether better QSC schemes exist when Alice and Bob are forced (by some third party say) to start in some mixed state. Please look at [DKSW07] for extension of impossibility results for bit-commitment to a very large class of protocols.

1.1 Measures of information 

As we will see later, the notion of information used in the above definition is very important and therefore let us briefly define various notions of information that we will be concerned with in this paper. The following notion of information, referred to as the quantum mutual information or the Holevo-$\chi$ information, is one of the most commonly used.

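Definition 2 (Holevo-$\chi$ information). Given a quantum state $\rho$, the von-Neumann entropy of $\rho$ is defined as $S(\rho) \stackrel{\mathrm{def}}{=} -\mathrm{Tr}\,\rho\log_2\rho$. Given quantum states $\rho, \sigma$, the Kullback-Leibler divergence or relative entropy between them is defined as $S(\rho\|\sigma) \stackrel{\mathrm{def}}{=} \mathrm{Tr}\,\rho(\log_2\rho - \log_2\sigma)$. Given an ensemble $\mathcal{E} = \{p_x, \rho_x\}$, let $\rho \stackrel{\mathrm{def}}{=} \sum_x p_x\rho_x$, then its Holevo-$\chi$ information is defined as

$$\chi(\mathcal{E}) \stackrel{\mathrm{def}}{=} \sum_x p_x\bigl(S(\rho) - S(\rho_x)\bigr) = \sum_x p_x S(\rho_x\|\rho).$$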

The following notion captures the amount of information that can be made available to the real world 
through measurements on the quantum encoding of a classical random variable. 

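Definition 3 (Accessible information). Let $\mathcal{E} = \{p_x, \rho_x\}$ be an ensemble and let $X$ be a classical random variable such that $\Pr(X = x) \stackrel{\mathrm{def}}{=} p_x$. Let $Y^{\mathcal{M}}$, correlated with $X$, be the classical random variable that represents the result of a POVM measurement $\mathcal{M}$ performed on $\mathcal{E}$. The accessible information $I_{\mathrm{acc}}(\mathcal{E})$ of the ensemble $\mathcal{E}$ is then defined to be

$$I_{\mathrm{acc}}(\mathcal{E}) \stackrel{\mathrm{def}}{=} \max_{\mathcal{M}} I(X : Y^{\mathcal{M}}). \qquad (1)$$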

As mentioned before Buhrman et al. used Bob's probability of guessing Alice's input string as the measure 
of concealment of the protocol. However in the proofs of their impossibility result, they used the following 
notion of information. 

Definition 4 ($\xi$ information [BCH+07]). The $\xi$ information of an ensemble $\mathcal{E} = \{p_x, \rho_x\}$ is defined as

$$\xi(\mathcal{E}) \stackrel{\mathrm{def}}{=} n + \log_2\sum_x \mathrm{Tr}\,(p_x\rho^{-1/2}\rho_x)^2,$$

where $\rho = \sum_x p_x\rho_x$.

Let $q_x$ be the probability that Bob correctly guesses Alice's input string $x$ (with Alice honest) before the start of the reveal phase. [BCH+07] showed that any $(n,a,b)$-QSC protocol with $\sum_{x\in\{0,1\}^n} q_x < 2^b$ is also a $(n,a,b)$-$\xi$-QSC protocol. Hence their impossibility results for $(n,a,b)$-$\xi$-QSC protocols implied the same impossibility results for $(n,a,b)$-QSC protocols with $\sum_{x\in\{0,1\}^n} q_x < 2^b$.

In this paper we also consider a notion of divergence information. It is based on the following notion of distance between two quantum states, considered by Jain, Radhakrishnan and Sen [JRS02].

Definition 5 (Observational divergence [JRS02]). Let $\rho, \sigma$ be two quantum states. The observational divergence between them, denoted $D(\rho\|\sigma)$, is defined as

$$D(\rho\|\sigma) \stackrel{\mathrm{def}}{=} \max_{M:\,\text{POVM element}} \mathrm{Tr}\,M\rho\,\log_2\frac{\mathrm{Tr}\,M\rho}{\mathrm{Tr}\,M\sigma}.$$

The definition of divergence information of an ensemble is similar to the Holevo-$\chi$ information except the notion of distance between quantum states used is now observational divergence instead of relative entropy.

Definition 6 (Divergence information). Let $\mathcal{E} = \{p_x, \rho_x\}$ be an ensemble and let $\rho \stackrel{\mathrm{def}}{=} \sum_x p_x\rho_x$. Its divergence information is defined as

$$\mathcal{D}(\mathcal{E}) \stackrel{\mathrm{def}}{=} \sum_x p_x D(\rho_x\|\rho).$$



1.2 Previous results 

The impossibility of a strong string commitment protocol, in which both $a, b$ are required to be 0, is immediately implied by the impossibility of strong bit-commitment protocols. The question of a trade-off between $a$ and $b$ was studied by Buhrman et al. They studied this trade-off both in the scenario of single execution of the protocol and also in the asymptotic regime with several parallel executions of the protocol. In the scenario of single execution of the protocol they showed the following result.

Theorem 1 ([BCH+07]). For single execution of the protocol of a $(n,a,b)$-$\xi$-QSC, $a + b + 5\log_2 5 - 4 > n$.

This then (as argued before) implied a similar trade-off for a $(n,a,b)$-QSC with $\sum_{x\in\{0,1\}^n} q_x < 2^b$ (where $q_x$ is the probability that Bob correctly guesses Alice's input string $x$, with Alice honest, before the start of the reveal phase). In the asymptotic regime they showed the following result in terms of the Holevo-$\chi$ information.

Theorem 2 ([BCH+07]). Let $\Pi$ be a $(n, *, b)$-$\chi$-QSC scheme. Let $\Pi^m$ represent $m$ parallel executions of $\Pi$. Let $a_m$ represent the binding parameter of $\Pi^m$ and let $a \stackrel{\mathrm{def}}{=} \lim_{m\to\infty} \frac{a_m}{m}$. Then, $a + b > n$.

There are two reasons why Thm. 2 may appear stronger than Thm. 1. One because there is no additive constant and the other because for many ensembles $\mathcal{E}$, $\chi(\mathcal{E}) < \xi(\mathcal{E})$, as we show in Sec. A. In fact, as we also show in Sec. A, there exist ensembles $\mathcal{E}$ for which $\xi(\mathcal{E})$ is exponentially (in $n$) larger than $\chi(\mathcal{E})$.

Along with these impossibility results Buhrman et al. interestingly also showed that if the measure of information considered is the accessible information, the above trade-offs no longer hold. For example there exists a QSC scheme where $a = 4\log_2 n + O(1)$ and $b = 4$ when the measure of information is the accessible information. This therefore asserts that the choice of measure of information is crucial to (im)possibility. Previously Kent [Ken03] also exhibited trade-offs for some schemes on Alice's probability of cheating and the amount of accessible information that Bob gets about the committed string. However he did not allow Alice to be arbitrarily cheating; in particular Alice could not have started with a superposition of strings in the input register. Therefore the schemes that he considered were not truly QSCs as we have defined them.

1.3 Our results 

We show the following binding-concealing trade-off for QSCs. 

Theorem 3. For single execution of the protocol of a $(n,a,b)$-$\mathcal{D}$-QSC scheme,

$$a + b + 8\sqrt{b+1} + 16 > n.$$

It was shown by Jain, Radhakrishnan and Sen [JRS02] that for any two states $\rho, \sigma$, $D(\rho\|\sigma) < S(\rho\|\sigma) + 1$, which implies from Defn. 2 and 5 that for any ensemble $\mathcal{E}$, $\mathcal{D}(\mathcal{E}) < \chi(\mathcal{E}) + 1$. This immediately gives us the following impossibility result in terms of Holevo-$\chi$ information.

Theorem 4. For single execution of the protocol of a $(n,a,b)$-$\chi$-QSC scheme,

$$a + b + 8\sqrt{b+2} + 17 > n.$$

We also consider the notion of maximum possible divergence information (similar to the notion of maximum possible Holevo-$\chi$ information considered by Jain [Jai06]) of an encoding $E : x \mapsto \rho_x$. For a probability distribution $\mu \stackrel{\mathrm{def}}{=} \{p_x\}$ over $\{0,1\}^n$, let the ensemble $\mathcal{E}_\mu(E) \stackrel{\mathrm{def}}{=} \{p_x, \rho_x\}$. Let $\rho_\mu \stackrel{\mathrm{def}}{=} \sum_x p_x\rho_x$.

Definition 7 (Maximum possible divergence information). Maximum possible divergence information of an encoding $E : x \mapsto \rho_x$ is defined as $\mathcal{D}(E) \stackrel{\mathrm{def}}{=} \max_\mu \mathcal{D}(\mathcal{E}_\mu(E))$.

We show the following theorem which states that if the maximum possible divergence information in the qubits of Bob at the end of the commit phase is small then Alice can actually cheat with good probability for any string $x \in \{0,1\}^n$ and not just on the average.

Theorem 5. For a QSC scheme let $\sigma_x$ be as in Defn. 7 when Alice and Bob act honestly in the commit phase. If for the encoding $E : x \mapsto \sigma_x$, $\mathcal{D}(E) < b$ then for all strings $c \in \{0,1\}^n$,

$$\tilde{p}_c > 2^{-(b+8\sqrt{b+1}+16)},$$

where $\tilde{p}_c$ (as in Defn. 1) represents the probability of successfully revealing string $c$ (in the cheating string) by cheating Alice.

Again using the fact that for all ensembles $D(\rho\|\sigma) < S(\rho\|\sigma) + 1$ we immediately get the following theorem in terms of maximum possible Holevo-$\chi$ information $\chi(E)$ (which is similar to maximum possible divergence information and obtained by just replacing divergence with relative entropy).

Theorem 6. For a QSC scheme let $\sigma_x$ be as in Defn. 7 when Alice and Bob act honestly in the commit phase. If for the encoding $E : x \mapsto \sigma_x$, $\chi(E) < b$ then for all strings $c \in \{0,1\}^n$,

$$\tilde{p}_c > 2^{-(b+8\sqrt{b+2}+17)},$$

where $\tilde{p}_c$ (as in Defn. 1) represents the probability of successfully revealing string $c$ (in the cheating string) by cheating Alice.

Now let us discuss some aspects of our results.

1. In Thm. 4 the trade-off between $a$ and $b$ is similar (up to lower order terms of $b$) to the one shown by Buhrman et al. [BCH+07] as in Thm. 1. However the fact that $b$ in Thm. 4 represents the Holevo-$\chi$ information instead of the $\xi$-information (as in Thm. 1) makes it significantly stronger in certain cases as follows. We show in Sec. A that for any ensemble $\mathcal{E} = \{2^{-n}, \rho_x\}$, where for all $x$, $\rho_x$ commutes with $\rho \stackrel{\mathrm{def}}{=} \sum_x 2^{-n}\rho_x$, we have $\xi(\mathcal{E}) > \chi(\mathcal{E})$. In fact, as we also show in Sec. A, there exist ensembles $\mathcal{E}$ for which $\xi(\mathcal{E})$ is exponentially (in $n$) larger than $\chi(\mathcal{E})$. Thm. 4 therefore becomes much stronger than Thm. 1 for ensembles where $\xi(\mathcal{E}) \gg \chi(\mathcal{E})$.

2. As mentioned before, Jain, Radhakrishnan and Sen [JRS02] have shown that for any ensemble $\mathcal{E}$, $\mathcal{D}(\mathcal{E}) < \chi(\mathcal{E}) + 1$. However recently, Jain, Nayak and Su [JNS08] have shown that there exist ensembles $\mathcal{E}$ such that $\chi(\mathcal{E}) \gg \mathcal{D}(\mathcal{E})$ ($\chi(\mathcal{E}) = \Omega(\log_2 n \cdot \mathcal{D}(\mathcal{E}))$ for some ensembles $\mathcal{E}$ supported on $\{0,1\}^n$). For ensembles where this holds, Thm. 3 becomes much stronger than Thm. 4.

3. As we show in Sec. 3, our one shot result Thm. 4 immediately implies the asymptotic result Thm. 2 of Buhrman et al.

4. No counterparts of Thm. 5 and Thm. 6 were shown by Buhrman et al. and are therefore completely new.

5. If $b$ is large then the cheating attack (that we present) of Alice would succeed with low probability (like $2^{-b}$). However, as we show in a remark in Sec. 3, in case Alice's cheating attack succeeds with low probability, she would still be able to 'reverse' her cheating operations and reveal, with a high probability, at least some $x' \in \{0,1\}^n$ to Bob. That is, with a high probability, Alice will be able to prevent herself from being detected cheating by Bob.

6. It is easily seen that up to lower order terms in $b$, the above trade-offs are achieved by trivial protocols. For Thm. 3 above consider the following protocol. Alice in the concealing phase sends the first $b$ bits of the $n$-bit string $x$. In this case Bob gets to know $b$ bits of divergence information about $x$. In the reveal phase a cheating Alice can now reveal any of the $2^{n-b}$ strings $x$ (consistent with the first $b$ bits being the ones sent) with probability 1. Hence $a = \log_2 2^{n-b} = n - b$. For Thm. 5 above let Alice send one of the $2^b$ strings $s \in \{0,1\}^b$ uniformly to Bob representing the first $b$ bits of $x$. The condition of Thm. 5 is satisfied. Now if in the reveal phase she wants to commit any $x$, she can do so with probability $2^{-b}$ (in the event that the sent $s$ is consistent with $x$).

In the next section we state some quantum information theoretic facts that will be useful in the proofs of the impossibility results that we present in Sec. 3.

2 Preliminaries 

All logarithms in this paper are taken with base 2 unless otherwise specified. Let $\mathcal{H}, \mathcal{K}$ be finite dimensional Hilbert spaces. For a linear operator $A$ let $|A| = \sqrt{A^\dagger A}$ and let $\mathrm{Tr}\,A$ denote the trace of $A$. Given a state $\rho \in \mathcal{H}$ and a pure state $|\phi\rangle \in \mathcal{H} \otimes \mathcal{K}$, we call $|\phi\rangle$ a purification of $\rho$ iff $\mathrm{Tr}_{\mathcal{K}}|\phi\rangle\langle\phi| = \rho$. A positive operator-valued measurement (POVM) element $M$ is a positive semi-definite operator such that $I - M$ is also positive semi-definite, where $I$ is the identity operator. A POVM is defined as follows.

Definition 8 (POVM). An $m$ valued POVM measurement $\mathcal{M}$ on a Hilbert space $\mathcal{H}$ is a set of operators $\{M_i, i \in [m]\}$ on $\mathcal{H}$ such that $\forall i$, $M_i$ is positive semi-definite and $\sum_{i\in[m]} M_i = I$ where $I$ is the identity operator on $\mathcal{H}$. A classical random variable $Y^{\mathcal{M}}$ representing the result of the measurement $\mathcal{M}$ on a state $\rho$ is an $m$ valued random variable such that $\forall i \in [m]$, $\Pr[Y^{\mathcal{M}} = i] \stackrel{\mathrm{def}}{=} \mathrm{Tr}\,M_i\rho$.

The following fact follows easily from the definition of von-Neumann entropy.

Lemma 1. Let $\rho_1, \rho_2$ be quantum states. Then $S(\rho_1 \otimes \rho_2) = S(\rho_1) + S(\rho_2)$.

We make a central use of the following information-theoretic result called the substate theorem due to Jain, Radhakrishnan, and Sen [JRS02].

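Theorem 7 (Substate theorem, [JRS02]). Let $\mathcal{H}, \mathcal{K}$ be two finite dimensional Hilbert spaces and $\dim(\mathcal{K}) > \dim(\mathcal{H})$. Let $\mathbb{C}^2$ denote the two dimensional complex Hilbert space. Let $\sigma, \tau$ be density matrices in $\mathcal{H}$ such that $D(\sigma\|\tau) < \infty$. Let $|\bar{\sigma}\rangle$ be a purification of $\sigma$ in $\mathcal{H} \otimes \mathcal{K}$. Then, for $r > 1$, there exist pure states $|\phi\rangle, |\theta\rangle \in \mathcal{H} \otimes \mathcal{K}$, and $|\bar{\tau}\rangle \in \mathcal{H} \otimes \mathcal{K} \otimes \mathbb{C}^2$, depending on $r$, such that $|\bar{\tau}\rangle$ is a purification of $\tau$ and $\mathrm{Tr}\,\bigl|\,|\bar{\sigma}\rangle\langle\bar{\sigma}|\,-$ $<$ where

$$|\bar{\tau}\rangle = \sqrt{\frac{r-1}{r2^{rk}}}\,|\phi\rangle|1\rangle + \sqrt{1 - \frac{r-1}{r2^{rk}}}\,|\theta\rangle|0\rangle$$

and $k \stackrel{\mathrm{def}}{=} D(\sigma\|\tau) + 6\sqrt{D(\sigma\|\tau) + 1} + 4$.

Remarks:

1. In the above theorem if the last qubit in $|\bar{\tau}\rangle$ is measured in the computational basis, then probability of obtaining 1 is $(1 - 1/r)2^{-rk}$.

2. Later in a proof below we will let $\sigma \stackrel{\mathrm{def}}{=} \rho_c$, $\tau \stackrel{\mathrm{def}}{=} \rho_B$ and $|\bar{\sigma}\rangle \stackrel{\mathrm{def}}{=} |\phi_c\rangle$ which will be explained later.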

The following theorem is implicit in [HJW93, May97, LC97, LC98] although not called explicitly by the same name.

Theorem 8 (Local transition theorem). Let $\rho$ be a quantum state in $\mathcal{K}$. Let $|\phi_1\rangle$ and $|\phi_2\rangle$ be two purifications of $\rho$ in $\mathcal{H} \otimes \mathcal{K}$. Then there is a local unitary transformation $U$ acting on $\mathcal{H}$ such that $(U \otimes I)|\phi_1\rangle =$

We would also need the following theorem which follows from arguments similar to the one in Jain [Jai06] for a similar theorem about relative entropy.

Theorem 9. Let $X$ be a finite set. Let $E : x \mapsto \rho_x$ be an encoding. Let $\mathcal{D}(E) < b$, then there exists a distribution $\mu \stackrel{\mathrm{def}}{=} \{q_x\}$ on $X$ such that

$$\forall x \in X, \quad D(\rho_x\|\rho) < b,$$

where $\rho \stackrel{\mathrm{def}}{=} \sum_x q_x\rho_x$.

The following theorem is shown by Helstrom [Hel67].

Theorem 10. Given two quantum states $\rho$ and $\sigma$, the probability of identifying the correct state is at most $\frac{1}{2} + \frac{\mathrm{Tr}|\rho - \sigma|}{4}$, or in other words the probability of distinguishing them is at most $\frac{\mathrm{Tr}|\rho - \sigma|}{2}$.



3 Proofs of impossibility 

Proof of Thm. 3: Let us consider a QSC scheme and let Alice get input $x$. After an honest run of the commit phase, let $|\phi_x\rangle$ be the combined state of Alice and Bob and $\rho_x$ be the state of Bob's qubits. Let $\mathcal{E} = \{p_x, \rho_x\}$. From the concealing property of the QSC it follows $\mathcal{D}(\mathcal{E}) < b$. Let $c$ be the string in the cheating register $C$ of Alice. Consider a cheating run of the protocol by Alice in which she starts with the superposition $\sum_x \sqrt{p_x}\,|x\rangle$ in the input register and proceeds with the rest of the commit phase as before in the honest protocol. Let Bob be honest all throughout our arguments. Since the input is classical and Alice can make its copy we can assume without loss of generality that the operations of Alice in the honest run are such that they do not disturb the input register. Let $|\psi\rangle$ be the combined state of Alice and Bob in this cheating run at the end of the commit phase. Let $A, B$ correspond to Alice and Bob's systems respectively. Now it can be seen that in the cheating run, at the end of the commit phase the qubits of Bob are in the state $\rho_B = \mathrm{Tr}_A|\psi\rangle\langle\psi| = \sum_x p_x\rho_x$. Let $r > 1$ to be chosen later. Let us now invoke substate theorem (Thm. 7) by putting $\sigma \stackrel{\mathrm{def}}{=} \rho_c$, $|\bar{\sigma}\rangle \stackrel{\mathrm{def}}{=} |\phi_c\rangle$, $\tau \stackrel{\mathrm{def}}{=} \rho_B$ and $r \stackrel{\mathrm{def}}{=} r$. Let $|\psi_c\rangle \stackrel{\mathrm{def}}{=} |\bar{\tau}\rangle$ be obtained from Thm. 7 such that the extra single qubit register $\mathbb{C}^2$ is also with Alice. Since $\mathrm{Tr}_A|\psi_c\rangle\langle\psi_c| = \mathrm{Tr}_A|\psi\rangle\langle\psi| = \rho_B$, from Local transition theorem (Thm. 8) there exists a unitary transformation $A_c$ acting just on Alice's system $A$ such that $(A_c \otimes I_B)|\psi\rangle = |\psi_c\rangle$, where $I_B$ is the identity transformation on Bob's system. Now the cheating Alice (whose intention is to reveal string $c$) applies the transformation $A_c$ and then continues with the rest of the reveal phase as in the honest run. Let $|\phi'_c\rangle \stackrel{\mathrm{def}}{=} |\phi\rangle$ be obtained from Thm. 7 and hence, $\mathrm{Tr}\,\bigl|\,|\phi_c\rangle\langle\phi_c| - |\phi'_c\rangle\langle\phi'_c|\,\bigr| < 1/\sqrt{r}$. Now it can be seen that when Bob makes the final checking POVM, the probability of success $\tilde{p}_c$ for Alice is at least $(1 - 1/r)2^{-rk_c}(1 - 1/\sqrt{r})$ where $k_c = D(\rho_c\|\rho_B) + 6\sqrt{D(\rho_c\|\rho_B) + 1} + 4$. One way to see this is to imagine that Alice first measures the single qubit register $\mathbb{C}^2$ and then proceeds with the rest of the reveal phase. Now imagine that she obtains one on this measurement which from Thm. 7 has probability $(1 - 1/r)2^{-rk_c}$. Also once she obtains one, the combined joint state of Alice and Bob is $|\phi'_c\rangle$ whose trace distance with $|\phi_c\rangle$ is at most $2/\sqrt{r}$. Since trace distance is preserved by unitary operations and is only smaller for subsystems and since after this Alice follows the rest of the reveal phase honestly, we can conclude the following: the final state resulting with Bob will have trace distance at most $2/\sqrt{r}$ with the state with him at the end of a completely honest run of the protocol in which Alice starts with $c$ in the input register. Hence it follows from Thm. 10 that Bob will accept at the end with probability at least $1 - 1/\sqrt{r}$ since he was accepting with probability 1 in the complete honest run of the protocol. Hence the overall cheating probability $\tilde{p}_c$ of Alice is at least $(1 - 1/r)2^{-rk_c}(1 - 1/\sqrt{r})$.

Although here we have imagined Alice doing an intermediate measurement on the single qubit register $\mathbb{C}^2$, it is not necessary and she will have the same cheating probability when she proceeds with the rest of the honest protocol after just applying the cheating transformation $A_c$ since the final qubits of Bob will be in the same state in either case. Now,

$$\begin{aligned}
2^{a-n} &> \sum_c p_c\,\tilde{p}_c \\
&> (1 - 1/r)(1 - 1/\sqrt{r}) \sum_c p_c\, 2^{-r\left(D(\rho_c\|\rho_B) + 6\sqrt{D(\rho_c\|\rho_B) + 1} + 4\right)} \\
&> (1 - 1/r)(1 - 1/\sqrt{r})\, 2^{-r\sum_c p_c\left(D(\rho_c\|\rho_B) + 6\sqrt{D(\rho_c\|\rho_B) + 1} + 4\right)} \\
&> (1 - 1/r)(1 - 1/\sqrt{r})\, 2^{-r(b + 6\sqrt{b+1} + 4)}
\end{aligned}$$

The first inequality comes from definition of $a$ in Defn. 1. The third inequality comes from the convexity of the exponential function and the fourth inequality comes from definition of $b$ in Defn. 1, Defn. 5 and concavity of the square root function.

Now when $b > 15$, we let $r = 1 + \frac{1}{b}$ and therefore,

$$(1 - 1/r)(1 - 1/\sqrt{r})\,2^{-r(b + 6\sqrt{b+1} + 4)} > \frac{2^{-(b + 6\sqrt{b+1} + 7)}}{(b+1)^2} > 2^{-(b + 8\sqrt{b+1} + 8)}.$$

When $b < 15$, we let $r = 1 + 1/15$ and therefore,

$$(1 - 1/r)(1 - 1/\sqrt{r})\,2^{-r(b + 6\sqrt{b+1} + 4)} > 2^{-(b + 6\sqrt{b+1} + 16)}.$$

Therefore we get always, $2^{a-n} > 2^{-(b + 8\sqrt{b+1} + 16)}$ which finally implies,

$$a + b + 8\sqrt{b+1} + 16 > n.$$

□

Proof of Thm. 2: Let $b_m$ represent the concealing parameter for $\Pi^m$. It is easy to verify from Lem. 1 and definition of Holevo-$\chi$ information, Defn. 2, that $b = b_m/m$. Then Thm. 4 when applied to $\Pi^m$ implies,

$$\begin{aligned}
& a_m + b_m + 8\sqrt{b_m + 2} + 17 > mn \\
\Rightarrow\ & \lim_{m\to\infty} \frac{1}{m}\left(a_m + b_m + 8\sqrt{b_m + 2} + 17\right) > n \\
\Rightarrow\ & a + b > n
\end{aligned}$$

□

Proof of Thm. 5: Let $\mu = \{\lambda_x\}$ be the distribution on $\{0,1\}^n$ obtained from Thm. 9. Consider a cheating strategy of Alice in which she puts the superposition $\sum_x \sqrt{\lambda_x}\,|x\rangle$ in the register where she keeps the commit string. Let $c$ be the string in the cheating register of Alice. Now by arguments as above probability of success $\tilde{p}_c$ for Alice is at least $(1 - 1/\sqrt{r})(1 - 1/r)2^{-rk_c}$ where $k_c, \rho_c, \rho$ being as before. Since for all $c$, $D(\rho_c\|\rho) < b$ it implies (by setting $r$ appropriately) $\forall c$, $\tilde{p}_c > 2^{-(b + 8\sqrt{b+1} + 16)}$. □

Remark: Let us now see how, with a good probability overall, Alice will be able to prevent herself from being detected cheating by Bob. Let Alice have $c$ in the cheating register. Let $r_c$ be the probability of getting one on performing the two outcome measurement (obtained from Thm. 7) after the commit phase as in the cheating strategy described above in proof of Thm. 3. In case she gets one, she proceeds with the cheating strategy. In case she gets zero, she tries to rollback so that she can successfully reveal at least some string to Bob. For this she does the following.

1. She applies the transformation $A_c^\dagger$ (that is inverse of $A_c$).

2. She measures the input register in the computational basis and say she obtains $x'$.

3. She proceeds with the rest of the reveal phase as if her actual input was $x'$.

Assume that Alice obtains zero on performing the two-outcome measurement as in the cheating strategy described above, which happens with probability $1 - r_c$. Now it can be verified that the trace distance between $|\psi_c\rangle\langle\psi_c|$ and the combined state of Alice and Bob after obtaining zero on performing the measurement is at most $2r_c$. Since $A_c^\dagger$ is unitary, this implies that the trace distance between the combined state of Alice and Bob after applying $A_c^\dagger$, and $|\psi\rangle\langle\psi|$ will be at most $2r_c$. Now we can argue as before that Alice can reveal some string successfully to Bob with probability at least $1 - r_c$. Therefore overall, the probability that Alice will be able to reveal some string is at least $r_c + (1 - r_c)^2 > 1 - r_c$. Now since typically $r_c$ is quite small (like $2^{-b}$), $1 - r_c$ is quite close to 1.
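A Separations for $\xi(\mathcal{E})$ and $\chi(\mathcal{E})$

Let $\mathcal{E} = \{1/2^n, \rho_x\}$ be an ensemble with $x \in \{0,1\}^n$. Let $\rho = \sum_x 2^{-n}\rho_x$. Let us assume that for all $x$, $\rho_x$ commutes with $\rho$ as is the case in classical ensembles. We show that in this case $\xi(\mathcal{E}) > \chi(\mathcal{E})$. Consider,

$$\begin{aligned}
\xi(\mathcal{E}) &= n + \log\sum_x \mathrm{Tr}\,(2^{-n}\rho^{-1/2}\rho_x)^2 \\
&> 2^{-n}\sum_x \log\mathrm{Tr}\,(\rho^{-1/2}\rho_x)^2 && \text{(from concavity of log function)} \\
&= 2^{-n}\sum_x \log\mathrm{Tr}\,(\rho_x\rho^{-1}\rho_x) && \text{(since } \rho_x, \rho \text{ commute)} \\
&> 2^{-n}\sum_x \mathrm{Tr}\,\rho_x\log(\rho_x\rho^{-1}) && \text{(since } \log\mathrm{Tr}\,BA > \mathrm{Tr}\,A\log B \text{, for } A, B \text{ quantum states)} \\
&= 2^{-n}\sum_x \mathrm{Tr}\,\rho_x(\log\rho_x - \log\rho) && \text{(since } \rho_x, \rho \text{ commute)} \\
&= \chi(\mathcal{E})
\end{aligned}$$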

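Next we show that there exist classical ensembles $\mathcal{E}$ for which $\xi(\mathcal{E})$ could be exponentially larger than $\chi(\mathcal{E})$. Consider the ensemble of classical distributions $\{2^{-n}, P_x\}$ for $x \in \{0,1\}^n$. Here each $P_x$ has support on $\{0,1\}^n$. Let $\epsilon \in (0,1)$ be a constant. Let $P_x(x) = 2^{-\epsilon n/2}$ and let the other values for $P_x(y)$, $y \neq x$ be the same. Let $P \stackrel{\mathrm{def}}{=} \sum_x 2^{-n}P_x$. It is easy to verify that in this case $P$ is the uniform distribution on $\{0,1\}^n$. Now,

$$\begin{aligned}
\xi(\mathcal{E}) &= n + \log\sum_x \mathrm{Tr}\,(2^{-2n}P^{-1}P_x^2) \\
&= -n + \log\sum_x \mathrm{Tr}\,(P^{-1}P_x^2) \\
&> -n + \log\sum_x 2^{n(1-\epsilon)} && \text{(since for all } x,\ \mathrm{Tr}\,P^{-1}P_x^2 > 2^{n(1-\epsilon)} \text{ and since log is monotonic)} \\
&= -n + \log 2^{n(2-\epsilon)} \\
&= n(1 - \epsilon)
\end{aligned}$$

Also we note that for all $x$, $\mathrm{Tr}\,P_x(\log P_x - \log P) < 2^{-\epsilon n/2} \cdot n \cdot (1 - \epsilon/2)$ and hence,

$$\begin{aligned}
\chi(\mathcal{E}) &< 2^{-n}\sum_x 2^{-\epsilon n/2} \cdot n \cdot (1 - \epsilon/2) \\
&= 2^{-\epsilon n/2} \cdot n \cdot (1 - \epsilon/2)
\end{aligned}$$

Therefore by letting $\epsilon$ be a constant very close to 0, we can let $\xi(\mathcal{E})$ be very close to $n$ whereas $\chi(\mathcal{E})$ would still be exponentially small in $n$.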
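The separation derived in this appendix can be checked numerically. The following Python sketch is an added example, not part of the paper; the function names, the parameter choice $\epsilon = 0.5$, the values of $n$ and the seeded random ensemble are assumptions made for illustration. It evaluates $\xi$ and $\chi$ for classical (diagonal) ensembles with uniform prior directly from Defn. 4 and Defn. 2, and goes slightly beyond the text by also giving closed forms for the spiked ensemble so that larger $n$ can be tried.

```python
import math
import random


def mixture(priors, dists):
    """Average distribution P = sum_x p_x P_x."""
    return [sum(p * d[y] for p, d in zip(priors, dists))
            for y in range(len(dists[0]))]


def xi_information(priors, dists):
    """xi(E) = n + log2 sum_x Tr(p_x P^{-1/2} P_x)^2 for diagonal states.

    For commuting (classical) states the trace equals
    p_x^2 * sum_y P_x(y)^2 / P(y); n is log2 of the number of strings.
    """
    n = math.log2(len(dists))
    avg = mixture(priors, dists)
    total = sum(p * p * sum(v * v / a for v, a in zip(d, avg) if v > 0)
                for p, d in zip(priors, dists))
    return n + math.log2(total)


def chi_information(priors, dists):
    """Holevo chi(E) = sum_x p_x S(P_x || P), relative entropy in bits."""
    avg = mixture(priors, dists)
    return sum(p * sum(v * math.log2(v / a) for v, a in zip(d, avg) if v > 0)
               for p, d in zip(priors, dists))


def spiked_ensemble(n, eps):
    """Appendix ensemble: P_x(x) = 2^{-eps*n/2}, remaining mass spread evenly."""
    size = 2 ** n
    spike = 2.0 ** (-eps * n / 2)
    rest = (1.0 - spike) / (size - 1)
    dists = [[spike if y == x else rest for y in range(size)]
             for x in range(size)]
    return [1.0 / size] * size, dists


def spiked_closed_form(n, eps):
    """(xi, chi) of the spiked ensemble by symmetry, usable for large n."""
    size = 2.0 ** n
    spike = 2.0 ** (-eps * n / 2)
    xi = n + math.log2(spike ** 2 + (1.0 - spike) ** 2 / (size - 1))
    chi = (spike * math.log2(spike * size)
           + (1.0 - spike) * math.log2((1.0 - spike) * size / (size - 1)))
    return xi, chi


def appendix_bounds(n, eps):
    """Lower bound on xi and upper bound on chi stated in the appendix."""
    return n * (1 - eps), 2.0 ** (-eps * n / 2) * n * (1 - eps / 2)


def random_classical_ensemble(num_bits, alphabet, seed):
    """Constructed sample: 2^num_bits random distributions, uniform prior."""
    rng = random.Random(seed)
    count = 2 ** num_bits
    dists = []
    for _ in range(count):
        weights = [rng.random() + 0.01 for _ in range(alphabet)]
        norm = sum(weights)
        dists.append([w / norm for w in weights])
    return [1.0 / count] * count, dists


if __name__ == "__main__":
    # The gap between xi and chi widens quickly as n grows.
    for n in (8, 20, 40):
        xi, chi = spiked_closed_form(n, 0.5)
        lo, hi = appendix_bounds(n, 0.5)
        print(f"n={n:2d}  xi={xi:8.4f} (bound {lo})  chi={chi:.6f} (bound {hi:.6f})")
```

The brute-force functions enumerate all $2^n \times 2^n$ entries, so they are meant for small $n$; the closed forms cover the large-$n$ regime where the exponential gap is visible.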






